Date: 2025-03-11

Microsoft has dropped a grand total of 57 fixes to mark the third Patch Tuesday update of 2025 – rising to close to 70 when third-party vulnerabilities are taken into account – including six zero-days and six critical flaws needing urgent attention.

The zero-days comprise a security feature bypass in Microsoft Management Console, two remote code execution (RCE) issues in Windows Fast FAT File System Driver and Windows NTFS, two information disclosure vulnerabilities in Windows NTFS, and a privilege escalation flaw in Windows Win32 Kernel Subsystem.

All six are listed by Microsoft as exploited in the wild but not yet publicly disclosed, and all are rated important in severity, carrying CVSS scores that range from 4.6 to 7.8.

A seventh vulnerability, an RCE issue in Windows Access, is listed as publicly disclosed but does not appear to be under active exploitation at the time of writing.

The six critical vulnerabilities, carrying CVSS scores of 7.8 through 8.8, are all RCE flaws. Two of them affect Windows Remote Desktop Services, and the four others relate to Microsoft Office, Windows Domain Name Service, Remote Desktop Client, and Windows Subsystem for Linux Kernel.

“All six of the vulnerabilities that Microsoft has labelled as exploit detected are resolved with the monthly cumulative update,” said Tyler Reguly, Fortra associate director of security research and development.

“This means a single update to roll out to fix all of these at once. Thankfully, none of them require post-patch configuration steps. The same is true for five of the six critical severity vulnerabilities. A lot of our important fixes come from the same patch.

“The remaining critical vulnerability, CVE-2025-24057, and the publicly disclosed vulnerability, CVE-2025-26630, both require Office updates. For those running click-to-run, there’s not a lot to do, but for those running Office 2016, there are two patches to install, one for Office and one for Access,” he added.

Reguly said that, fortunately, this limited the amount of patching needed to resolve the attention-grabbing flaws. “However,” he said, “they are big ticket items and with headlines likely to state ‘Microsoft Patches Six 0-Day Vulnerabilities’, admins will likely have a lot of questions to answer about the state of their patching.”